NHS plans leave ‘anonymous’ medical data vulnerable

Anonymising the medical records of everyone in England would not keep them safe from prying eyes: individuals could still be identifiable

By Jacob Aron

STARTING in March, the medical records of everyone in England will be transferred from their family doctor to a central database, where the National Health Service and approved researchers can access them. In a leaflet distributed nationwide last month, the NHS assured patients that their records will be anonymised. But privacy researchers say there is a strong possibility that individuals could be identified by their medical history.

You might think deleting personal details would be enough to secure your anonymity. And that is essentially the approach taken by the Health and Social Care Information Centre (HSCIC), which is managing the new database, care.data, for NHS England. Your date of birth, full postcode, NHS number and gender will be linked to a secure code, and only this code joins your medical records on the database.

Decades of privacy research show this won’t necessarily protect your identity, however. “If you link together the episodes of care affecting an individual patient, then in very many cases that is identifiable,” says Ross Anderson of the University of Cambridge. For example, if you know that a celebrity has a certain medical condition, or was in an accident and received treatment on a particular day, it should be possible to identify their complete medical record, as not many others are likely to share that particular history. Database managers can instead use techniques to selectively remove information while still leaving it useful for researchers. And this can be quantified: a database is called k-anonymous if no person’s record can be distinguished from the records of at least k-1 other people in the database. An HSCIC spokesperson told New Scientist that any publicly available data will be k-anonymised, but because care.data access is only available to organisations that sign a security contract, similar measures won’t be necessary for the full database.
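To make the linkage risk concrete, here is an added example (not from the article or from care.data) that measures k-anonymity on a constructed set of pseudonymised episodes of care, shows how a single publicly known treatment date narrows the candidate set, and shows how generalising dates to month granularity raises k. The pseudonyms, dates and conditions are all constructed sample data.

```python
"""Constructed example: re-identification risk in pseudonymised care episodes."""
from collections import Counter

# Constructed sample. Direct identifiers (NHS number, date of birth, full
# postcode) have already been replaced by an opaque pseudonym, but every
# episode of care is still linked to that pseudonym.
EPISODES = [
    ("a3f1", "2013-03-04", "asthma"),
    ("a3f1", "2013-11-21", "fractured wrist"),
    ("b7c2", "2013-03-04", "asthma"),
    ("b7c2", "2013-11-02", "fractured wrist"),
    ("c9d0", "2013-03-04", "asthma"),
    ("c9d0", "2013-11-25", "fractured wrist"),
    ("d4e8", "2013-06-15", "hypertension"),
    ("e5f6", "2013-06-15", "hypertension"),
]

def histories(episodes, generalise=lambda date: date):
    """Group episodes by pseudonym into a sorted, hashable care history.
    `generalise` coarsens each date (e.g. to year-month) before grouping."""
    per_patient = {}
    for pseudonym, date, condition in episodes:
        per_patient.setdefault(pseudonym, []).append((generalise(date), condition))
    return {p: tuple(sorted(h)) for p, h in per_patient.items()}

def k_anonymity(episodes, generalise=lambda date: date):
    """Smallest number of patients sharing an identical care history.
    k == 1 means at least one patient has a unique, hence identifiable, history."""
    counts = Counter(histories(episodes, generalise).values())
    return min(counts.values())

def candidates(episodes, known_facts, generalise=lambda date: date):
    """Pseudonyms whose history contains every (date, condition) fact that is
    already public, e.g. a reported accident. A list of length 1 is a re-identification."""
    wanted = {(generalise(d), c) for d, c in known_facts}
    return sorted(p for p, h in histories(episodes, generalise).items()
                  if wanted <= set(h))

def to_month(date):
    """Generalisation step: '2013-11-21' -> '2013-11'."""
    return date[:7]

if __name__ == "__main__":
    public_fact = [("2013-11-21", "fractured wrist")]
    print("k with exact dates:", k_anonymity(EPISODES))                 # 1
    print("k with month granularity:", k_anonymity(EPISODES, to_month)) # 2
    print("candidates, exact dates:", candidates(EPISODES, public_fact))
    print("candidates, months:", candidates(EPISODES, public_fact, to_month))
```

With exact dates the known fracture date pins the record to one pseudonym; after generalising to months, three patients share that history and the audit reports k of 2 for the whole table.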

But the NHS approach assumes the system cannot be hacked and that anyone with access is incorruptible. “These measures are by no means sufficient to guarantee privacy,” says Aris Gkoulalas-Divanis, who studies data privacy at IBM Research in Dublin, Ireland, and says the NHS should do more. “If the database leaks out without sufficient anonymisation, this may be catastrophic.”

Anderson agrees that the techniques care.data plans to use will not keep the NHS data secure, because a patient’s entire history is unavoidably linked. “People keep hoping against hope that someone will come up with a magic bullet,” he says. “It is a problem which cannot be solved.”

The US National Security Agency leak is just one example of what happens when private information becomes public. HSCIC could not provide a figure for the number of people expected to have access, but Anderson believes it could be as many as a million. Drug and insurance companies can apply to access the data, and may be able to identify patients by cross-referencing with their own records. On the other hand, external researchers should be able to use the data to improve public health. Ultimately, patients will have to decide for themselves if the trade-off is worth it, or opt out by writing to their doctor.

This article appeared in print under the headline “Your life in their hands”